On Mon, 22 Jan 2007, Alexander Farber wrote:

> Hello,
>
> I'm writing a small network daemon program and
> want it to drop privileges after it opens a listening port.
>
> I've looked at several programs in /usr/src/usr.sbin
> and many do it in a similar way:
>
> 1) getpwnam(NTPD_USER) to find its home dir
> 2) check that the home dir belongs to root and isn't group/world writable
> 3) chroot() into that dir and then chdir("/")
> 4) setgroups(1, pw->pw_gid) to limit it to just 1 group
> 5) Finally call setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid)
>    and setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)
>
> I have 2 questions:
>
> 1) Can't a compromised process change back to its saved root uid?

Not if you used setresuid.

> 2) Why is setresuid() used and not setuid()?
...
> What was the reason to introduce setresuid() on BSD?

See "Setuid Demystified" by Chen, Wagner and Dean:
http://www.cs.berkeley.edu/~daw/papers/setuid-usenix02.pdf

Micro-summary: setresuid is the only API with unambiguous semantics. For
OpenBSD, we adopted it as the standard way to revoke privileges.

Observation: for a system call that takes a single integer argument to
need a paper to demystify it is a sign that it should probably be avoided.

> My program is
> for OpenBSD, but I also want to keep it runnable on Linux
> and Cygwin - and the latter one doesn't offer setresuid().

I recommend that you pick the best API available and implement/emulate it
where it doesn't exist. You will have to write compatibility code
regardless of your approach, so you are best off keeping this out of your
main program. See http://www.mindrot.org/~djm/auug2005/ for a description
of the portability approach we use for OpenSSH.

> Also is there maybe a good guide on priv. sep. on OpenBSD?

For privsep, Henning's daemons (OpenNTPd, OpenBGPd) are clean examples.
OpenSSH and syslogd are more complex ones.

(responding to your follow-up email:)

Privilege revocation is a component of privilege separation. Any daemon
that starts with root privileges and is privilege separated must revoke
those privileges along the way, so the above are good examples of
privilege revocation too.

-d
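The five steps in the question, written out as a complete routine, with the answer to question 1 turned into a check the daemon can run on itself. This is an added example written for this page, not code from the thread or from any OpenBSD daemon. It assumes a Linux or OpenBSD-like system that provides setresuid()/setresgid()/getresuid()/getresgid(); the user name "_mydaemon" in main() is a placeholder. Note that setgroups() takes an array, so the gid is passed by address, and that the gid is changed before the uid, because a process that is no longer root cannot change its gid afterwards.

```c
/* Added example: privilege revocation in the order the post lists.
 * Not from the original thread; assumes setresuid()/getresuid() exist. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE           /* glibc hides setresuid()/getresuid() otherwise */
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Explicit prototypes so the example compiles even when the feature macro
 * above was not seen before the first system header was included. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* Step 2: the chroot target must be a directory owned by root and not
 * writable by group or others; otherwise whoever can write there can plant
 * files inside the jail.  Pure function so it can be tested on a
 * constructed struct stat. */
int chroot_dir_is_safe(const struct stat *st)
{
    if (!S_ISDIR(st->st_mode))
        return 0;
    if (st->st_uid != 0)
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Question 1: verify that no saved root id is left.  All three uids and
 * gids must equal the target, and regaining root must be refused.
 * Returns 1 only when the privileges are really gone. */
int privileges_revoked(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (uid == 0 || gid == 0)          /* "dropping" to root is not revocation */
        return 0;
    if (getresuid(&ru, &eu, &su) == -1 || getresgid(&rg, &eg, &sg) == -1)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    /* With no saved root id, both of these must fail with EPERM. */
    if (setresuid(0, 0, 0) == 0 || errno != EPERM)
        return 0;
    if (setresgid(0, 0, 0) == 0 || errno != EPERM)
        return 0;
    return 1;
}

/* Steps 1-5 in order.  Call while still root, after the listening socket
 * is open.  Returns 0 on success, -1 on failure (the caller should exit). */
int drop_privileges(const char *user)
{
    struct passwd *pw;
    struct stat st;
    uid_t uid;
    gid_t gid;

    if ((pw = getpwnam(user)) == NULL) {                    /* step 1 */
        fprintf(stderr, "unknown user %s\n", user);
        return -1;
    }
    uid = pw->pw_uid;   /* copy now: /etc/passwd is unreachable after chroot */
    gid = pw->pw_gid;
    if (stat(pw->pw_dir, &st) == -1 || !chroot_dir_is_safe(&st)) { /* step 2 */
        fprintf(stderr, "unsafe chroot directory %s\n", pw->pw_dir);
        return -1;
    }
    if (chroot(pw->pw_dir) == -1 || chdir("/") == -1) {     /* step 3 */
        perror("chroot");
        return -1;
    }
    if (setgroups(1, &gid) == -1) {                         /* step 4 */
        perror("setgroups");                /* must happen while still root */
        return -1;
    }
    if (setresgid(gid, gid, gid) == -1 ||                   /* step 5 */
        setresuid(uid, uid, uid) == -1) {
        perror("setresuid");
        return -1;
    }
    if (!privileges_revoked(uid, gid)) {    /* never trust, always verify */
        fprintf(stderr, "privilege revocation failed\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    if (drop_privileges("_mydaemon") == -1)   /* placeholder account name */
        return 1;
    printf("running as uid %d gid %d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

The final privileges_revoked() call is the answer to question 1 made mechanical: if setresuid() were replaced by a call that silently left the saved uid at 0, the attempt to setresuid(0, 0, 0) would succeed and the daemon would refuse to start instead of running with a latent root id.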